Department of Homeland Security

Federal Emergency Management Agency
Privacy Stewardship

OIG-13-87                                           May 2013

OFFICE OF INSPECTOR GENERAL
Department of Homeland Security
Washington, DC 20528 / www.oig.dhs.gov

May 1, 2013

MEMORANDUM FOR:  Richard Serino
                 Deputy Administrator
                 Federal Emergency Management Agency

FROM:            Frank Deffer
                 Assistant Inspector General
                 Office of Information Technology Audits

SUBJECT:         Federal Emergency Management Agency Privacy Stewardship

Attached for your action is our final report, Federal Emergency Management Agency Privacy Stewardship. We incorporated the formal comments from the Federal Emergency Management Agency in the final report.

The report contains four recommendations aimed at improving privacy stewardship within the Federal Emergency Management Agency. Your office concurred with all recommendations. As prescribed by the Department of Homeland Security Directive 077-1, Follow-Up and Resolutions for the Office of Inspector General Report Recommendations, within 90 days of the date of this memorandum, please provide our office with a written response that includes your (1) agreement or disagreement, (2) corrective action plan, and (3) target completion date for each recommendation. Also, please include responsible parties and any other supporting documentation necessary to inform us about the current status of the recommendation. Until your response is received and evaluated, the recommendations will be considered open and unresolved.

Consistent with our responsibility under the Inspector General Act, we are providing copies of our report to appropriate congressional committees with oversight and appropriation responsibility over the Department of Homeland Security. We will post the report on our website for public dissemination.

Please call me with any questions, or your staff may contact Marj Leaming, Director, System Privacy Division, at (202) 254-4172.

Attachment

Table of Contents

Executive Summary ........ 1
Background ........ 2
Results of Audit ........ 6
    Efforts To Improve Privacy Stewardship ........ 6
    FEMA Needs To Address Compliance With Privacy Requirements ........ 7
        Recommendation ........ 10
        Management Comments and OIG Analysis ........ 10
    Privacy Protection Weak at Disaster Relief Sites ........ 11
        Recommendations ........ 17
        Management Comments and OIG Analysis ........ 17
    FEMA-wide Privacy Training and Awareness ........ 18
        Recommendation ........ 19
        Management Comments and OIG Analysis ........ 20

Appendixes
    Appendix A: Objectives, Scope, and Methodology ........ 21
    Appendix B: Management Comments to the Draft Report ........ 22
    Appendix C: Legislation, Memoranda, Directives, and Guidance Related to the FEMA Privacy Stewardship Audit ........ 25
    Appendix D: Component-Level Privacy Officer Designation and Duties ........ 27
    Appendix E: TAFISMA Systems That Affect Privacy: Compliance Status ........ 28
    Appendix F: FEMA Unauthorized Information Technology Systems Memorandum ........ 32
    Appendix G: DHS Fair Information Practice Principles at Work ........ 34
    Appendix H: Culture of Privacy Survey ........ 36
    Appendix I: Major Contributors to This Report ........ 37
    Appendix J: Report Distribution ........ 38

Abbreviations
    CIO      Chief Information Officer
    DHS      Department of Homeland Security
    FEMA     Federal Emergency Management Agency
    FEKC     FEMA Employee Knowledge Center
    FISMA    Federal Information Security Management Act of 2002
    IT       information technology
    NEMIS    National Emergency Management Information System
    OCIO     Office of the Chief Information Officer
    OIG      Office of Inspector General
    OMB      Office of Management and Budget
    PII      personally identifiable information
    PIA      privacy impact assessment
    PTA      privacy threshold analysis
    SORN     system of records notice
    TAFISMA  Trusted Agent Federal Information Security Management Act

Executive Summary

We performed an audit of the Federal Emergency Management Agency's (FEMA) privacy stewardship. Our audit objectives were to determine whether FEMA's plans and activities instill a culture of privacy that protects sensitive personally identifiable information and whether FEMA ensures compliance with Federal privacy laws and policies.

FEMA has made progress in implementing plans and activities to instill a culture of privacy. Specifically, it has established a privacy office that, among other functions, prepares reports on FEMA's privacy activities to the Department of Homeland Security Privacy Office, reviews suspected privacy incidents, and oversees FEMA's privacy training. However, FEMA faces a number of challenges in ensuring that personally identifiable information is protected.
Specifically, it needs an accurate inventory of its information technology systems that impact privacy. In addition, FEMA needs to complete required privacy compliance analyses, including privacy threshold analyses, privacy impact assessments, and system of records notices, for 430 information technology systems that were reported as unauthorized.

FEMA also must address challenges with protecting personally identifiable information at disaster relief sites. Specifically, FEMA needs to conduct privacy assessments at disaster relief sites to improve accountability, identify risks, and implement appropriate privacy safeguards for the protection of personally identifiable information collected during field operations. In addition, FEMA needs to provide specialized field training to the disaster relief workforce, including procedures on properly collecting and handling personally identifiable information from applicants immediately after a disaster.

Finally, although FEMA has implemented a standardized privacy training course, it does not have an effective system to enforce the employee training requirement. We are making four recommendations to FEMA, which if implemented, should improve privacy stewardship and enhance protection of personally identifiable information.

Background

The Privacy Act of 1974 (Privacy Act), as amended, imposes various requirements on agencies whenever they collect, use, maintain, or disseminate personally identifiable information (PII) in a system of records.[1] The Department of Homeland Security (DHS) defines PII as any information that permits an individual to be identified directly or indirectly from any information that can be linked to that individual regardless of whether the individual is a U.S. citizen, lawful permanent resident, visitor to the United States, employee, or contractor to the Department. Federal laws, regulations, policies, and guidelines set the minimum standards for handling PII. Appendix C lists requirements related to FEMA's privacy stewardship.

To accomplish its mission to prepare for, prevent, respond to, and recover from domestic disasters and emergencies, FEMA collects, uses, maintains, or disseminates significant amounts of PII daily. FEMA has more than 7,300 full-time employees at Headquarters, 10 regional offices, 3 national processing service centers, 2 mail processing centers, and additional sites across the country. FEMA also has more than 10,400 temporary employees who are available for deployment to disaster areas, as needed. Figure 1 lists three key purposes for which FEMA collects PII from the public.

Figure 1. Key Purposes for Collection of Personally Identifiable Information

Purpose for Collection: Flood Insurance
    From whom or what: Flood insurance applicants, agents, policy holders, and companies
    PII that may be collected: Name, information on insurance claims, building contents, and payments

Purpose for Collection: Grants
    From whom or what: State, territorial, and tribal officials; port and transit authorities; nonprofit organizations; and companies
    PII that may be collected: Grant information, organization name, bank routing and account number, Social Security or employer identification number, point of contact's work and email addresses, and numbers for work phone, cell phone, and fax

Purpose for Collection: Disaster Recovery Assistance
    From whom or what: Individuals
    PII that may be collected: Name, address, Social Security number, birth date, phone, disaster-related damage information, insurance information, and financial information

Source: FEMA Privacy Impact Assessments

Through its disaster assistance application process, FEMA collects PII from applicants each year. For example, more than 1,500,000 disaster applicants completed the registration process in 2008. Following Hurricane Katrina, FEMA collected PII from more than 2,000,000 applicants. Figure 2 illustrates the flow of applicant PII in the disaster assistance application process. FEMA sends applicant PII to the National Emergency Management Information System (NEMIS), an information technology (IT) system that supports disaster response and recovery operations. NEMIS maintains the PII of more than 2,000,000 current applicants.

[1] A system of records is a group of any records under the control of any agency from which information is retrieved by the name of the individual or by some identifying number, symbol, or other identifier assigned to the individual.

Figure 2. Flow of PII in FEMA's Disaster Assistance Application Process
[Figure not reproduced in this text]
Source: OIG analysis of FEMA process

Workers deployed to disaster relief sites help survivors by empathizing with them, explaining available disaster relief programs, and listening carefully to understand their needs. Workers collect applicant PII to register them for essential services and discuss their case status. Figure 3 shows the variety of environments where FEMA conducts disaster relief operations.

Figure 3. Environments for Disaster Response and Recovery
[Figure not reproduced in this text]
Source: FEMA

An agency's culture of privacy reflects the extent to which its executives, managers, and employees understand, implement, and enforce its commitment to protect privacy and comply with legislative and DHS mandates. The promotion of an effective culture of privacy leads to shared attitudes, goals, and practices that comply with the requirements for proper handling of PII.
The Privacy Office assists system and program managers in conducting reviews to identify privacy risks related to their specific processes and implementing an appropriate privacy stewardship framework.[2] This framework includes management accountability, physical or IT safeguards, specialized privacy training, as well as coordination among privacy, legal counsel, IT, and records management services.

According to the Federal Chief Information Officer (CIO) Council, Best Practices: Elements of a Federal Privacy Program, protecting privacy is a core consideration for every Federal agency, and it is best achieved when it is an integral part of the agency's business operations.[3] Privacy must be considered as part of policy assessment, programmatic decision-making, and business operations; privacy should not be an afterthought. The agency's managers monitor and enforce Federal privacy laws and policies to establish effective privacy oversight.

[2] In this report, "system and program manager" refers to the agency employee who is responsible for the operation and management of the system to which a System of Records Notice pertains. IT system managers and program managers are responsible for preparing privacy compliance documentation for technologies, rulemakings, programs, and activities. These managers may be located at FEMA headquarters, regions, or disaster relief sites.
[3] The Privacy Committee of the Federal Chief Information Officer Council improves agency practices for the protection of privacy, serving as the interagency coordination group for Senior Agency Officials for Privacy and Chief Privacy Officers in the Federal Government. The Privacy Committee has five subcommittees: Best Practices, Innovation and Emerging Technology, International, Identity Management, and Development and Education. The Best Practices Subcommittee is a forum to develop and promote best practices for Federal privacy programs and policies.

On June 5, 2009, the DHS Deputy Secretary issued the DHS Memorandum Designation of Component Privacy Officers, which directed 10 components, including FEMA, to designate a senior-level Federal employee as a full-time Privacy Officer who reports directly to the component head. FEMA has designated a full-time Privacy Officer. The Privacy Office is currently located in the Office of the Chief Administrative Officer. Figure 4 shows how the Privacy Officer reports through the Headquarters Mission Support Bureau to the FEMA Administrator.

Figure 4. FEMA Privacy Office Placement
[Figure not reproduced in this text]
Source: OIG analysis of FEMA organizational chart

Results of Audit

Efforts To Improve Privacy Stewardship

FEMA has made progress in developing a culture of privacy and addressing compliance with privacy requirements. FEMA established its Privacy Office in 2006. In 2011, the Privacy Officer reorganized staff assignments to promote information sharing with staff and other mission support areas, such as legal counsel, IT, and records management. The Privacy Office supports key projects, such as the Identity Theft Project and the Social Media Program.

Privacy Office staff perform their responsibilities in accordance with DHS Management Instruction 047-01-001, Privacy Policy and Compliance. (See appendix D for a list of all privacy office duties.) Key responsibilities include the following:

• Provide reports on FEMA's privacy activities and accomplishments to the DHS Privacy Office for reporting to Congress or the Office of Management and Budget (OMB);

• Review suspected and confirmed privacy incidents, provide an analysis of ways to minimize the loss of PII, evaluate the reasonable risk of harm, and ensure that privacy incidents have been properly mitigated, consistent with DHS Privacy Office Privacy Incident Handling Guidance;[4]

• Provide updates on the status of FEMA's privacy management to the DHS Privacy Office, pursuant to the Federal Information Security Management Act of 2002 (FISMA);[5]

• Advise managers on information sharing that involves the receipt or disclosure of PII;

• Oversee FEMA privacy training and provide educational materials consistent with mandatory and supplementary training developed by the DHS Privacy Office; and

• Coordinate with system and program managers, together with the DHS Privacy Office and FEMA counsel, to complete privacy compliance analyses and documentation for systems of records to meet the requirements of the Privacy Act.

[4] A privacy incident is the loss of control, compromise, or situations in which persons other than authorized users have access or potential access to PII in usable form, whether physical or electronic, or in which authorized users access PII for an unauthorized purpose.
[5] The Federal Information Security Management Act of 2002 directs agencies to identify security and privacy risks inherent in their systems, develop ways to mitigate those risks, and report to OMB the results of ongoing system assessments.

The FEMA Privacy Office has a plan and schedule to complete privacy compliance analyses for the 74 IT systems that have documented authorization to operate. The compliance process begins with a privacy threshold analysis (PTA), a required document that serves as the official determination by the DHS Privacy Office as to whether a Department program or system has privacy implications. Based on the results of the PTA, additional privacy compliance documentation may be required, such as a privacy impact assessment (PIA) and system of records notice (SORN). As of May 2012, 46 of the 74 (62 percent) IT systems had PTAs. The FEMA Privacy Office had improved its privacy scores for the systems holding PII from 80 percent in July 2011 to 97 percent in July 2012, by having a PIA for 37 of the 38 (97 percent) systems that required additional privacy analysis. A PIA is a decision-making tool used to identify and mitigate privacy risks at the beginning of and throughout the development life cycle of a program or system.
It helps the public understand what PII the Department is collecting; why it is being collected; and how it will be used, shared, accessed, and stored.

In addition, FEMA published SORNs in the Federal Register to address 45 systems with PII. A SORN is a formal notice to the public that identifies the purpose for which PII is collected, from whom and what type of PII is collected, how the PII is shared externally (routine uses), and how to access and correct any PII maintained by the Department. FEMA's SORNs and PIAs are also available on the DHS Privacy Office's public website. (Appendix E contains the names and compliance status of the systems that affect privacy.) However, as discussed in the following sections, FEMA continues to face challenges in identifying a complete inventory of PII holdings and ensuring that it is protecting PII component-wide.

FEMA Needs To Address Compliance With Privacy Requirements

FEMA needs to take additional measures to ensure that PII is protected. At least 430 recently identified rogue or unauthorized IT systems are neither in FEMA's inventory nor in compliance with both Federal privacy and security laws and policies.[6] The Office of the Chief Information Officer (OCIO), as well as system and program managers, need to coordinate with the Privacy Office to plan and conduct necessary PTAs, PIAs, and SORNs to meet privacy requirements. By not ensuring privacy compliance of IT systems, FEMA may be placing PII at unnecessary risk.

[6] FEMA's Unauthorized Information Technology Systems Memorandum (dated March 13, 2012) characterizes rogue systems as those IT systems that are not properly documented and approved to operate by the Chief Information Officer and unauthorized systems as those IT systems that do not possess a recognized Federal Government certification and accreditation. For this report, we use "unauthorized" to refer to either rogue or unauthorized systems.

IT Systems Inventory Is Not Complete

FEMA is hindered in meeting its privacy compliance requirements because it does not have an accurate inventory of its IT systems. According to OMB Memorandum M-07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information (OMB M-07-16), agencies are required to review their holdings of all PII and ensure that they are accurate, relevant, timely, and complete.[7] FEMA uses a software application, Trusted Agent Federal Information Security Management Act (TAFISMA), to track its inventory of electronic PII holdings, including the 38 authorized IT systems that have been identified as impacting privacy.[8]

However, FEMA's TAFISMA inventory is incomplete. Not all holdings of PII have been identified, documented, or authorized. Because there are unauthorized IT systems in operation that may not comply with Federal privacy and IT security laws and policies, FEMA is at risk of violating both Federal privacy and IT security laws and policies. Specifically, as of April 2012, at least 430 IT systems had been reported to the OCIO as unauthorized, in response to the Unauthorized Information Technology Systems Memorandum, dated March 2012. (See appendix F.) This memorandum directed all FEMA offices to report to the OCIO any systems that were in development or operating without government authority. We reviewed detailed reports on a sample of 226 of these unauthorized IT systems, which appeared to function as 170 administrative systems, 36 financial systems, and 20 program-related systems. The program-related systems support the following programs: the Federal Insurance and Mitigation Administration, United States Fire Administration, Protection and National Preparedness, and the Office of Response and Recovery. The FEMA OCIO and Privacy Officer will need a process to ensure that a timely review of privacy status can be made.

[7] IT systems, programs, technologies, pilot projects, information sharing, records, and rule-making may impact privacy or hold PII.
[8] The DHS Office of the Chief Information Officer uses TAFISMA as its software application to track major IT systems and general support systems, including those that affect privacy. TAFISMA contains privacy and IT security compliance documentation.

In May 2012, system and program managers had not provided the Privacy Office with essential information in a timely manner so that the office could assist them with initial privacy compliance analysis and determination. In addition, the Privacy Officer requested information from the OCIO on all unauthorized IT systems. This information is necessary for the Privacy Office to begin privacy compliance analyses. As of August 2012, the Privacy Officer had not received the information because OCIO was reviewing the 430 unauthorized IT systems to determine whether each system was a duplicate, a subsystem, an application already recorded in TAFISMA, or a temporary data extract that could be decommissioned or deleted. However, when we asked what would be a more timely solution, the FEMA CIO and Privacy Officer recommended that they address the unauthorized systems in tandem and resolve the various compliance issues posed by them.

Privacy Threshold Analyses for Unauthorized IT Systems

The DHS Privacy Office requires the completion of a PTA, using its template, when components propose new systems of records or make significant changes to existing systems.[9] The PTA must be updated every 3 years. The DHS template for a PTA will guide the analysis to determine the extent to which each of the newly identified IT systems impacts privacy. Then, system and program managers must coordinate PTA preparation with the FEMA Privacy Office. The DHS Privacy Office will review each PTA to determine the type of information it contains, the extent to which it impacts privacy, whether it requires a PIA, and whether an existing or new SORN is required.

Privacy Impact Assessments for Unauthorized IT Systems That Affect Privacy

DHS components must conduct PIAs of all systems that collect, use, maintain, or disseminate PII, consistent with the E-Government Act of 2002.
According to\n         DHSfPrivacyfOfficefPolicyfGuidancefMemorandumf2008-02, the completion of\n         the DHS template for a PIA requires analysis, including that of technologies\n         employed, life cycle of the PII in the system, and specific privacy risks and their\n         mitigation.\n\n\n9\n The privacy threshold analysis establishes the intended purpose of the system, identifies the system owner, and\nproposes types of PII collected and maintained by the system, such as the presence of Social Security numbers.\n\nwww.oig.dhs.gov                                          9                                               OIG-13-87\n\x0c                                 OFFICE OF INSPECTOR GENERAL\n                                     Department of Homeland Security\n\n\n         The FEMA Privacy Office estimates that it may need 4 to 6 weeks to assess each\n         of those unauthorized IT systems that the DHS Privacy Office determines will\n         require a PIA. The assessment will necessitate comments and analysis by system\n         and program managers, legal counsel, OCIO, and the Headquarters Mission\n         Support Bureau, as well as its workers in each of the 10 regions who perform\n         onsite services for IT, acquisitions, security, and records management. Staff\n         from external agencies may be involved, such as the DHS Privacy Office\xe2\x80\x99s\n         compliance division, agencies that receive or share PII with FEMA, or OMB.10\n\n         System of Records Notices for Unauthorized IT Systems\n\n         The PrivacyfAct requires agencies to issue a public notice for every system of\n         records under their control. 
Based on a review of the PTAs, the DHS Privacy\n         Office determines which of the unauthorized IT systems will require a new SORN\n         or will be covered by an existing SORN.\n\n         The FEMA Privacy Office estimates that it may take 4 to 6 weeks to complete\n         each SORN that will be required for the identified unauthorized IT system. The\n         review will require information from system and program managers, legal\n         counsel, OCIO, and the Headquarters Mission Support Bureau. Also, staff from\n         the DHS Privacy Office and DHS Office of General Counsel will be involved.\n\n         Recommendation\n\n         We recommend that the Deputy Administrator of FEMA:\n\n         Recommendation #1:\n\n         Implement a plan and timeline to identify and assess 430 unauthorized systems,\n         and complete appropriate documentation to mitigate privacy risks in the\n         unauthorized systems that contain PII.\n\n         Management Comments and OIG Analysis\n\n         We obtained written comments on a draft of this report from the Associate\n         Administrator of FEMA\xe2\x80\x99s Office of Policy, Program Analysis and International\n         Affairs. (See appendix B.)\n\n10\n  OMB clearance under the PaperworkfReductionfAct off1995f(44 U.S.C. 3501 et seq.) is required for FEMA to conduct\nfederally sponsored data collections involving 10 or more respondents unless an exemption applies. The general\npurpose of the PaperworkfReductionfAct is to minimize the paperwork burden created by the Federal Government in\ncollecting information.\n\nwww.oig.dhs.gov                                        10                                              OIG-13-87\n\x0c                          OFFICE OF INSPECTOR GENERAL\n                              Department of Homeland Security\n\n\n\n       FEMA concurred with our findings and recommendation #1. 
FEMA's Office of Chief Information Officer confirmed that it is making progress with its review of the unauthorized systems and is anticipating that fewer than 430 unauthorized systems will need to undergo further privacy compliance analysis and documentation. We consider this recommendation open and unresolved.

Privacy Protection Weak at Disaster Relief Sites

FEMA has not taken adequate steps to mitigate privacy risks to PII collected at its disaster relief sites. During our audit, we identified instances in the disaster assistance process where applicant PII was vulnerable at all 24 disaster relief sites that we visited in Alabama, California, Georgia, Indiana, Kentucky, Maryland, Texas, and Virginia. (See appendix A for details about the sites.) To address these vulnerabilities, FEMA needs to conduct privacy assessments at disaster relief sites. It also needs to provide specialized field training for disaster workers who handle PII.

Privacy Safeguards Needed

The Privacy Act requires agencies to implement technical, physical, and administrative safeguards to ensure the security and confidentiality of records. These safeguards also should protect against any anticipated threats or hazards that could result in substantial harm to individuals from whom information is collected. Specifically, PII could be compromised when it was overheard as applicants talked to disaster workers in person or over the telephone, when it was entered into laptops that did not have encryption software, when it was left unsecured in stacks of paper awaiting application processing, and when it was disposed of using improper equipment.
We identified the lack of the following privacy safeguards during our visits to 24 disaster relief sites:

• IT Safeguards: Regional IT managers and specialists are responsible for deploying encryption software to the laptops that are used at disaster relief sites. They estimated that less than 25 percent of the laptops that disaster workers used to collect PII had encryption software. We also observed that the laptops at 17 of 24 disaster relief sites did not have encryption software installed. Even if encryption software was installed, disaster workers do not always encrypt email attachments that contain PII. For example, a contractor emailed an unencrypted spreadsheet of 5,070 applicants' PII to an unintended recipient's email address. The PII included full names, addresses, and insurance payout amounts for applicants participating in the National Flood Insurance Program. The contractor later received training on encrypting email attachments, and the Privacy Office worked with the field office to notify the affected applicants.

  Further, at all 24 sites, we observed instances of disaster workers not securing their laptops when stepping away from them. During a 3-year period (2010 to 2012), FEMA reported that 73 laptops were either stolen or lost; PII on these laptops could be stolen, lost, or compromised.

• Physical Safeguards: At all 24 disaster relief sites, we observed unsecured paper copies of applicant PII awaiting disposal or entry into NEMIS.
  In addition, 15 of 24 disaster relief sites either lacked cabinets or had storage equipment that did not meet privacy and security requirements. Disaster workers at four sites reported taking applicant files to their hotels to safeguard PII because they did not have locked storage capacity at the sites. Further, disposal equipment at these sites did not meet privacy and security requirements, as specified by FEMA Standard Operating Procedure: Electronic and Hard Copy Media Sanitization and Release. Figure 5 shows examples of unsecured storage and inadequate disposal of applicant PII.

  Figure 5. Inadequate Physical Safeguards at Disaster Relief Sites
  Source: OIG

• Administrative Safeguards: Regional offices identify the location for disaster relief sites and send preassembled "Disaster Go" kits to the field managers who are setting up the sites. Each regional office customizes the content and materials that are included in the kits, based on the nature of the disaster and the particular environment of the specified disaster relief site. As shown in figure 6, the following are examples of two types of Disaster Go kits. However, regional and field managers had not considered adding pertinent privacy materials into these kits.

  Figure 6. Examples of Disaster Go Kits
  Source: OIG

  a. Sign kits help the disaster applicants locate the FEMA disaster recovery center.
  However, the inclusion of some privacy-related materials, such as the DHS Privacy Office's How To Safeguard Personally Identifiable Information Factsheet, privacy posters, and instructions for workers on encrypting email attachments, would help increase awareness of the need to protect applicant PII.

  b. Contracting kits include paper copies of contract forms for use when electricity, computers, or Internet access is unavailable. However, this kit does not contain privacy clauses from FEMA or the Federal Acquisition Regulation that establish contractors' privacy responsibilities and accountability.

Privacy Assessments Needed at Disaster Relief Sites

Periodic privacy assessments can help managers reduce risk and build accountability for privacy compliance. Specifically, FEMA managers need to conduct privacy assessments to determine where specific privacy safeguards can be incorporated when they establish disaster relief sites and hire staff in response to a disaster.
Annually, FEMA faces the challenge of protecting PII when disaster workers collect, use, maintain, or disseminate this information for more than 1,000,000 applicants under varying work conditions and environments. According to OMB Memorandum M-12-20, FY 2012 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management, agencies are required to identify and address gaps in privacy compliance, management, operational, and technical controls by conducting regular assessments. In addition, according to The Fair Information Practice Principles at Work, managers must build accountability into their programs through activities such as periodic reviews.11 (See appendix G for the eight privacy principles.) Regardless of the location of the disaster relief site, which may be in a building, stadium, tent, mobile unit, or another accommodation, FEMA work processes and environments must meet privacy requirements.

Field managers whom we interviewed were concerned that the chaotic nature of the disaster response and relief work could place PII at risk, but had not considered the option of conducting a privacy assessment. For example, in 2011, cadres of temporary employees, contractors, and volunteers assisted applicants at nearly 500 disaster relief sites for periods ranging from 1 day to 3 months. However, FEMA has not conducted privacy assessments to help determine the risks and extent to which privacy protections are needed at these sites.
Until field managers identify and mitigate the privacy vulnerabilities in processes, flow, and handling of applicant PII during higher risk operations and at disaster relief sites, FEMA will continue to expose PII to risk.

Specialized Field Training Needed for Disaster Relief Workforce

More than 10,400 temporary workers (disaster workers) process the PII of disaster survivors. FEMA faces challenges in protecting PII if this temporary work force has not received appropriate privacy training. Specifically, FEMA has not provided specialized field training to workers on how to protect and control applicant PII when collecting and handling it after a disaster. According to OMB M-07-16, specialized or advanced training is an effective way to improve employee understanding of privacy responsibilities in their daily work activities.

At the 24 disaster relief sites that we visited, managers explained that training for disaster workers is often not completed because there is little time between reporting for duty and when they must begin helping disaster survivors. In addition, managers noted that the standardized privacy training is web-based and Internet connectivity is not always available following a disaster. Further, according to field managers and disaster workers we interviewed, the content of standardized, FEMA-wide privacy training was too general to address the variety of conditions at disaster relief sites.

11 DHS Privacy Office Policy Guidance Memorandum 2008-02 requires reviews of processes, programs, IT systems, rule-making, or technologies that may impact privacy. In addition, the DHS Privacy Office also exercises its authority under Section 222 of the Homeland Security Act to ensure that technologies sustain and do not erode privacy protections, through the conduct of privacy compliance reviews.

Without specialized field training, workers do not understand fully how to apply proper privacy practices and safeguards while performing services at disaster relief sites. Fifty-eight percent (103 of 177) of field managers we interviewed stated that specialized field training consistent with the DHS Privacy Office Handbook for Safeguarding Sensitive Personally Identifiable Information is needed to help disaster workers in protecting PII during disaster relief operations. In addition, 46 percent of survey comments from field managers and employees recommended specialized privacy training for the disaster relief workforce.12

When disaster workers are not adequately trained to safeguard PII while performing disaster relief operations, privacy incidents can occur. For example, as illustrated in figure 7, in October 2008, a disaster worker who had not received specialized field training on handling PII violated privacy requirements when acquiring a mailing distribution list to communicate with disaster applicants. He created an unauthorized copy of a system of records by downloading the PII of 13,000 applicants from the official database into spreadsheets.
He did not encrypt the spreadsheets when he transmitted them over the Internet to an unauthorized third party, who used them to create the mailing distribution list.

Figure 7. FEMA Privacy Incident
Source: OIG analysis of FEMA Privacy Incident Report, reported October 2008

12 In January 2012, we emailed employees a survey on FEMA's culture of privacy that included questions on topics such as integrating privacy safeguards in daily operations. (See appendix H for the survey methodology.)

The disaster worker reported his actions as a privacy incident, but he was unable to confirm whether the third party had destroyed the spreadsheets and the mailing distribution list. After an investigation, FEMA compelled the third party to destroy the PII on his computer. FEMA issued a written reprimand to the disaster worker and required him to take additional privacy training on safeguarding PII.

In October 2012, a disaster worker caused another incident at a disaster relief site when he created a spreadsheet that contained the PII (names and Social Security numbers) of 1,000 other disaster workers and saved it on the local network. The PII was accessible to all users on the local network because the spreadsheet was not password protected.
When another disaster worker opened the file and realized that the spreadsheet contained PII, he reported it as a privacy incident.

Survey Comments

We received 771 comments from survey respondents working at disaster relief sites who recommended numerous ways to make privacy training more useful and applicable to their work environments. Figure 8 presents the distribution of responses by topic.

Figure 8. Field Recommendations for Privacy Training and Awareness
Source: OIG

Field respondents to our survey indicated that specialized training and supplementary privacy awareness activities are necessary to improve current privacy training content, delivery methods, frequency, and effectiveness.
The following are examples of improvements suggested by survey respondents:

• Specialized training customized to their duties, which would use realistic examples and scenarios.

• Increased privacy awareness activities, such as routine emails discussing core privacy principles and posters placed near frequently visited work areas (such as printers and file cabinets).

• Improved privacy training delivery, such as in-person training, privacy workshops, informative online videos, and videoconferencing.

• More frequent privacy training, such as scheduled, privacy-focused staff briefings and meetings related to recent projects during which supervisors incorporate practical privacy discussions.

Recommendations

We recommend that the Deputy Administrator of FEMA:

Recommendation #2:

Conduct privacy assessments of disaster relief operations to improve accountability and to meet privacy requirements.

Recommendation #3:

Implement specialized privacy training for the disaster relief workforce.

Management Comments and OIG Analysis

FEMA concurs with recommendation #2. The FEMA Privacy Officer is developing a framework for conducting privacy compliance site inspections, to include disaster relief operations. We consider this recommendation open and unresolved.

FEMA concurs with recommendation #3. The FEMA Privacy Officer is developing specialized privacy training.
We consider this recommendation open and unresolved.

FEMA-wide Privacy Training and Awareness

Training and awareness activities help build an effective culture of privacy in the workplace. However, managers do not have an effective method to monitor the completion of FEMA's standardized privacy training. In addition, managers and employees suggested ways that FEMA could supplement privacy training through creative activities that reinforce employee privacy responsibilities.

Enforce Standardized, FEMA-wide Privacy Training

FEMA has implemented a standardized privacy training course, but it does not have an effective tracking system to monitor whether employees have completed the training requirement. This situation makes it difficult to enforce the privacy training requirement. DHS Management Instruction 047-01-001, Privacy Policy and Compliance, requires initial privacy training and annual refresher training for all managers, employees, and contractors. Although the FEMA workforce must complete the web-based course (IS-105), only 1,070 employees were reported to have completed the course. In addition, FEMA did not use the DHS Privacy Office's Privacy at DHS: Protecting Personal Information, which was created for department-wide implementation this year to meet the mandatory privacy training requirement. This course provides a broad overview of privacy responsibilities, privacy principles, legal requirements, and penalties.

FEMA cannot efficiently identify and track employees who have not completed the required course.
The Headquarters Office of Distance Learning did not purchase this capability because of budgetary constraints when it instituted the FEMA Employee Knowledge Center (FEKC) in February 2012. FEKC tracks only those who have completed the course. Therefore, to enforce the requirement, managers must compare personnel rosters, contractor lists, and the FEKC list to determine those who have not completed the course.

In addition, there is no centralized roster of FEMA personnel. Conducting a manual review is more complicated because thousands of workers and contractors are assigned to different managers, regions, or disaster relief sites each year. Field managers reported that they cannot enforce the training requirement because it is too time-consuming to determine which workers have not completed the course. In addition, Headquarters and regional training units declined to assist managers in performing manual reviews because of the amount of required work.

Survey Respondents Suggest Privacy Improvements

Survey respondents suggested ways that FEMA can improve its culture of privacy. We received 4,932 individual comments and suggestions from survey respondents on ways that FEMA could be more effective in protecting PII. Figure 9 shows the distribution of survey respondents' comments in five categories.

Figure 9. Improvements for FEMA Culture of Privacy Development
Source: OIG

According to survey respondents, FEMA could increase manager and employee awareness of privacy requirements.
For example, they recommended that managers enforce privacy protections (32 percent of comments) and supplement privacy training to improve overall employee awareness of the importance of protecting PII (27 percent). In addition, respondents suggested privacy campaigns, periodic broadcast messages, and emails that remind employees how to apply privacy policies on their jobs. Respondents also recommended that managers review and improve physical safeguards for PII (19 percent), identify and address specific privacy risks in different employee work environments (12 percent), and increase IT security for PII (10 percent).

Recommendation

We recommend that the Deputy Administrator of FEMA:

Recommendation #4:

Improve managers' capability to monitor and enforce the completion of the standardized, FEMA-wide privacy training requirements.

Management Comments and OIG Analysis

FEMA concurs with recommendation #4. The FEMA Privacy Officer and the FEMA Office of Training and Development are developing a more comprehensive compliance element into the annual privacy training. We consider this recommendation open and unresolved.

Appendix A
Objectives, Scope, and Methodology

The Department of Homeland Security (DHS) Office of Inspector General (OIG) was established by the Homeland Security Act of 2002 (Public Law 107-296) by amendment to the Inspector General Act of 1978.
This is one of a series of audit, inspection, and special reports prepared as part of our oversight responsibilities to promote economy, efficiency, and effectiveness within the Department. Our objectives were to determine whether FEMA has plans and activities that instill a culture of privacy that protects sensitive PII and ensures compliance with Federal privacy laws and regulations. As background for this audit, we reviewed Federal laws and guidance related to FEMA's responsibilities for privacy protections. In addition, we interviewed officials from the DHS Privacy Office on FEMA's privacy compliance status and reporting. Also, we reviewed testimonies, documentation, and reports about FEMA's privacy, IT security, and field program management.

As part of our fieldwork, we interviewed FEMA's Privacy Officer and 188 managers, employees, and disaster workers. We conducted field site evaluations at 3 national processing service centers (which included call centers), 1 mail center, 3 regional offices, 3 joint field offices, 1 initial operating facility, and 13 disaster recovery centers to determine areas for improvements in privacy controls. Also, we emailed a survey to FEMA employees to obtain their recommendations for improving their understanding of privacy and for an indication of their privacy knowledge. In response, we received 4,932 individual comments on privacy risks, integrating privacy in daily operations, and challenges in FEMA's privacy stewardship. (See appendix H for details.)

We analyzed training issues and FEMA guidance on privacy, IT, and records management to determine whether they met Federal privacy and security laws and regulations. (See appendix C for references.) We also reviewed PTAs, PIAs, and SORNs for 74 operational IT systems in the FEMA inventory. (See appendix E for details.)
In addition, we interviewed IT professionals at FEMA headquarters and disaster relief sites, as well as reviewed reports regarding 430 rogue or unauthorized IT systems.

We conducted this performance audit between January and October 2012 pursuant to the Inspector General Act of 1978, as amended, and according to generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based upon our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based upon our audit objectives.

Appendix B
Management Comments to the Draft Report

U.S. Department of Homeland Security
Washington, DC 20472

FEB 01 2013

MEMORANDUM FOR: Frank Deffer
Assistant Inspector General
Information Technology Audits
Department of Homeland Security

FROM: David J. Kaufman
Associate Administrator for
Policy, Program Analysis and International Affairs

SUBJECT: Federal Emergency Management Agency Privacy Stewardship - For Official Use Only
OIG Project No. 12-064-ITA-FEMA

This memorandum serves as the Federal Emergency Management Agency's (FEMA) official written response to the Federal Emergency Management Agency Privacy Stewardship - For Official Use Only, OIG Project No. 12-064-ITA-FEMA.

FEMA has made significant progress, in the last year alone, in developing a culture of privacy and addressing compliance with privacy requirements. In October 2011, FEMA named a new Privacy Officer to lead FEMA's effort to create a culture of privacy awareness and compliance throughout the Agency. Soon after his arrival, the FEMA Privacy Officer updated the FEMA Privacy Office's mission statement and established a new vision with attendant program objectives. Also since then, the FEMA Privacy Officer has sat on FEMA's Policy Working Group (PWG) to ensure that all policies are developed with privacy interests considered and to minimize the impact on individual privacy by necessary modifications.

Last year alone, the FEMA Privacy Office increased FEMA's FISMA Privacy Score for SORNs from 98% to 100% and PIAs similarly increased from 79% to 100%. This was achieved through the FEMA Privacy Officer's FISMA Privacy Compliance Surge to bring all known FEMA systems into compliance with privacy laws and related Office of Management and Budget (OMB), DHS, and FEMA privacy policies and guidance.
This effort resulted in FEMA's achievement of a 100% FISMA Privacy Score for both PIAs and SORNs and this work was completed by June 30, 2012.

FEMA's privacy incident response and mitigation continues to be expeditious, thorough, and complete. FEMA's diverse mission requires the use of a lot of information about individuals as we work to respond to and provide relief for disaster victims.

FEMA privacy training continues to develop and grow and that will continue this year with specific training for the disaster relief workforce. Last year, the FEMA Privacy Officer revamped the mandatory Annual Privacy Awareness Training module and implemented it as both an instructor-led and on-line independent study course; hosted Privacy Compliance Foundations training sessions for IT security professionals, program and project management professionals, system managers, and other personnel who handle or are responsible for ensuring that electronic systems are in compliance with the privacy legal framework; and continues initial privacy awareness training on a weekly basis to all newly hired FEMA employees and contractors.
We are confident, as an Agency, that we are moving in the right direction with privacy and we agree that work remains to be done.

Below are our specific comments on the draft report and specific responses to each recommendation.

Recommendation 1:
That the Deputy Administrator of FEMA implement a plan and timeline to identify and mitigate privacy risks in the 430 unauthorized systems that contain PII.

FEMA Response: Concur
FEMA's Chief Information Officer who, under the Federal Information Security Management Act (FISMA), holds the responsibility for maintaining the FEMA system inventory, is reviewing the systems identified during this audit for integrity in addition to the overall accuracy of the inventory. An analysis conducted by the FEMA OCIO has revealed that the actual number of unauthorized systems is far less than 430, and of those remaining, even fewer contain personally identifiable information (PII). The FEMA Privacy Officer is working with the FEMA CIO to mitigate the privacy risks associated with the actual number of systems that contain PII. This is being done by using the established DHS Privacy Office compliance process that includes the privacy legal framework. This is done by conducting a Privacy Threshold Analysis (PTA) first. Of those systems that contain PII, a determination is made as to whether a Privacy Impact Assessment (PIA) is needed, or whether coverage under an already established PIA exists, and whether a System of Records Notice (SORN) is needed, or whether coverage under an already established SORN exists.
430 PTAs, PIAs, and SORNs are not needed or required.

Recommendation 2:
That the Deputy Administrator of FEMA direct the FEMA Privacy Officer to conduct privacy assessments of disaster relief operations to improve accountability and to meet privacy requirements.

FEMA Response: Concur
Prior to the conclusion of this audit, the FEMA Privacy Officer had already begun developing a framework for conducting privacy compliance site inspections applicable to all FEMA locations, including disaster relief operations, to improve accountability and to meet privacy requirements.

Recommendation 3:
That the Deputy Administrator implement specialized privacy training for the disaster relief workforce.

FEMA Response: Concur
Prior to the conclusion of this audit,
the FEMA Privacy Officer had already begun developing\n          specialized privacy training for the diverse FEMA mission, to include specialized privacy\n          training for disaster relief workforce.\n\n\n           Recommendation 4:\n          That the Deputy Administrator ofFEMA improve managers\' capability to monitor and enforce\n          the completion of the standardized, FEMA-wide privacy training requirements.\n\n          FEMA RespoDse: Concur\n          Prior to the conclusion of this audit, the FEMA Privacy Officer had already begWl working with\n          the FEMA Training and Development Office to develop a more comprehensive compliance\n          element into the annual privacy training.\n\n          Thank you for the work that you and your team did to better infonn us throughout this audit. We\n          look forward to the final report. Please direct any questions regarding this response to Gary\n          McKeon, FEMA\'s Branch Chief Audit Liaison Office, at 202-646-1308.\n\n\n\n\n                                                            J\n\n\n\n\nwww.oig.dhs.gov                                            24                                                 OIG-13-87\n\n\x0c                                     OFFICE OF INSPECTOR GENERAL\n                                          Department of Homeland Security\n\n\nAppendix C\nLegislation, Memoranda, Directives, and Guidance Related to\nthe FEMA Privacy Stewardship Audit\n                                                         LEGISLATION\n\nPrivacyfActfoff1974,fasfamended, 5 U.S.C. \xc2\xa7 552a.\nhttp://www.gpo.gov/fdsys/pkg/USCODE-2011-title5/pdf/USCODE-2011-title5-partI-chap5-subchapII-sec552a.pdf\n\nE-GovernmentfActfoff2002, Public Law 107-347, 116 Stat. 2899.\nhttp://www.gpo.gov/fdsys/pkg/PLAW-107publ347/pdf/PLAW-107publ347.pdf\nf\nFederalfInformationfSecurityfManagementfActfoff2002, 44 U.S.C. 
§ 3541, et seq.
http://csrc.nist.gov/drivers/documents/FISMA-final.pdf

Implementing Recommendations of the 9/11 Commission Act of 2007, Public Law 110-53, 121 Stat. 266, 360.
http://www.nctc.gov/docs/ir-of-the-9-11-comm-act-of-2007.pdf

Homeland Security Act of 2002, as amended, Public Law 107-296, 116 Stat. 2135, 2179.
http://www.gpo.gov/fdsys/pkg/PLAW-107publ296/pdf/PLAW-107publ296.pdf

Paperwork Reduction Act of 1995, 44 U.S.C. § 3501, et seq.
http://www.gpo.gov/fdsys/pkg/PLAW-104pub13/html/PLAW-104publ13.htm

OMB MEMORANDA

OMB M-07-16: Safeguarding Against and Responding to the Breach of Personally Identifiable Information (May 22, 2007).
http://www.whitehouse.gov/omb/memoranda/fy2007/m07-16.pdf

OMB M-11-29: Chief Information Officer Authorities (August 8, 2011).
http://www.whitehouse.gov/sites/default/files/omb/memoranda/2011/m11-29.pdf

OMB M-12-20: FY 2012 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management (October 2, 2012).
http://www.whitehouse.gov/sites/default/files/omb/memoranda/2012/m-12-20.pdf

DIRECTIVES AND GUIDANCE

DHS Management Directive Number 047-01: Privacy Policy and Compliance (July 7, 2011). (No External Link Available)

DHS Management Instruction Number 047-01-001: Privacy Policy and Compliance (July 25, 2011). (No External Link Available)

DHS Memorandum: Designation of Component Privacy Officers (June 5, 2009). (No External Link Available)

DHS Privacy Office Privacy Policy Guidance Memorandum Number 2008-02: DHS Policy Regarding Privacy Impact Assessments (December 30, 2008).
http://www.dhs.gov/xlibrary/assets/privacy/privacy_policyguide_2008-02.pdf

DHS Privacy Office: Handbook for Safeguarding Sensitive Personally Identifiable Information at the Department of Homeland Security (March 2012).
http://www.dhs.gov/xlibrary/assets/privacy/dhs-privacy-safeguardingsensitivepiihandbook-march2012.pdf

DHS Privacy Office: Guide to Implementing Privacy (June 2010).
http://www.dhs.gov/xlibrary/assets/privacy/dhsprivacyoffice-guidetoimplementingprivacy.pdf

DHS Privacy Office: Privacy Incident Handling Guidance (January 26, 2012).
http://www.dhs.gov/xlibrary/assets/privacy/privacy_guide_pihg.pdf

DHS Privacy Office: Privacy Technology Implementation Guide (August 16, 2007).
http://www.dhs.gov/xlibrary/assets/privacy/privacy_guide_ptig.pdf

DHS Privacy Office: Privacy Impact Assessments: The Privacy Office Official Guidance (June 2010).
http://www.dhs.gov/xlibrary/assets/privacy/privacy_pia_guidance_june2010.pdf

DHS Privacy Office: System of Records Notices: The Privacy Office Official Guidance (April 2008).
http://www.dhs.gov/xlibrary/assets/privacy/privacy_guidance_sorn.pdf

DHS Management Directive Number 0007.1: Information Technology Integration and Management (March 15, 2007). (No External Link Available)

DHS 4300A: Sensitive Systems Policy Directive Version 9.0.2 (March 19, 2012). (No External Link Available)

National Institute of Standards and Technology Special Publication 800-88: Guidelines for Media Sanitization (September 2006).
http://www.nist.gov/customcf/get_pdf.cfm?pub_id=50819

Federal CIO Council, Privacy Committee: Best Practices: Elements of a Federal Privacy Program Version 1.0 (June 2010).
http://www.cio.gov/Documents/Elements-Federal-Privacy-Program-v1.0_June-2010.pdf

U.S. Chief Information Officer: 25 Point Implementation Plan to Reform Federal Information Technology Management (December 9, 2010).
http://www.cio.gov/documents/25-Point-Implementation-Plan-to-Reform-Federal%20IT.pdf

FEMA DOCUMENTS

44 C.F.R. Ch. I, Subpart E, Report on New Systems and Alterations of Existing Systems, Section 6.70 (October 1, 2011).
http://www.gpo.gov/fdsys/pkg/CFR-2011-title44-vol1/pdf/CFR-2011-title44-vol1-sec6-70.pdf

FEMA Standard Operating Procedure: Electronic and Hard Copy Sanitization and Release (September 2, 2011). (No External Link Available)

FEMA Directive 140-1: Information Technology Security Policy (January 14, 2012). (No External Link Available)

FEMA Directive 140-2: Information Technology Integration and Management (February 10, 2012). (No External Link Available)

FEMA Memorandum: Unauthorized Information Technology Systems (March 13, 2012). (No External Link Available)

FEMA Memorandum: Delegating Authorities to Regional Administrators (February 6, 2012). (No External Link Available)

FEMA Memorandum: Regional Staffing Initiative (August 4, 2010). (No External Link Available)


Appendix D
Component-Level Privacy Officer Designation and Duties
Figure 10. Component-Level Privacy Officer Designation and Duties

COMPONENTS TO DESIGNATE PRIVACY OFFICERS

• Federal Emergency Management Agency
• National Protection and Programs Directorate
• Office of Intelligence and Analysis
• Science & Technology Directorate
• Transportation Security Administration
• U.S. Citizenship and Immigration Services
• U.S. Coast Guard
• U.S. Customs and Border Protection
• U.S. Immigration and Customs Enforcement
• U.S. Secret Service
Source: DHS Designation Memorandum, June 5, 2009

COMPONENT PRIVACY OFFICER DUTIES

• Maintain an ongoing review of component IT systems, technologies, rulemakings, programs, pilot
  projects, information sharing, and other activities to identify collections and uses of PII and any other
  attendant privacy impacts.
• Coordinate with system and program managers, together with the DHS Privacy Officer and component
  counsel, to complete required privacy compliance documentation.
• Review component policies and directives to ensure compliance with DHS privacy policy, privacy laws
  applicable to DHS, and Federal Government-wide privacy policies.
• Oversee component implementation of DHS privacy policy.
• Provide the DHS Privacy Officer all component information necessary to meet the Department's
  responsibilities for reporting to Congress or OMB on DHS activities that involve PII or otherwise impact
  privacy.
• Oversee the component's implementation of procedures and guidance issued by the DHS Privacy Officer for
  handling suspected and confirmed privacy incidents; notify the DHS Privacy Officer and other
  Department offices of such incidents as component procedures dictate; ensure that privacy incidents
  have been properly mitigated; and recommend that the DHS Privacy Officer close privacy incidents upon
  mitigation.
• Process privacy complaints from organizations, DHS employees, and other individuals, whether
  received directly or by referral from the DHS Privacy Officer.
• Oversee component privacy training and provide educational materials, consistent with mandatory and
  supplementary training developed by the DHS Privacy Officer.
• Maintain an ongoing review of component data collection forms, whether electronic or paper-based, to
  ensure compliance with the Privacy Act Statements and implementation of regulations and guidelines.
• Review component record retention schedules for paper or electronic records that contain PII to ensure
  privacy interests are considered in the establishment of component record disposition policies.
• Advise the component on information sharing activities that involve the disclosure or receipt of PII and
  participate in the review of Information Sharing Access Agreements.
• Document and implement procedures for identifying, processing, tracking, and reporting on Privacy Act
  Amendment requests.
Source: DHS Management Instruction Number 047-01-001


Appendix E
TAFISMA Systems That Affect Privacy: Compliance Status

Privacy protections must be incorporated during the development and operation of
systems and programs that affect privacy. DHS privacy policy guidance requires that
components conduct a privacy threshold analysis (PTA) when they propose a new
system of records or make significant changes to an existing system. The analysis of
each approved system must be updated every three years. DHS components are to
conduct privacy impact assessments (PIA) of all systems that collect, use, maintain, or
disseminate PII, consistent with the E-Government Act of 2002. The Privacy Act of 1974
requires agencies to issue public notice for systems of records under their control. A
system of records notice (SORN) informs the public about what, why, and how PII are to
be collected, retained, shared, accessed, and corrected.
The status of FEMA's privacy
compliance analysis and documentation may affect how well it addresses privacy issues
and mitigates risks to PII.

Figure 11. FEMA PII Compliance Status for 46 IT Systems

Legend (as used in the original figure):
  PIA/SORN Name, Date of Document    Privacy impact assessment or system of records notice completed.
  Completed, Date of Document        Privacy threshold analysis completed.
  Completed, Date of Document        Privacy threshold analysis completed but expired.
  Not Completed                      Privacy impact assessment not completed.
  Not Applicable                     Privacy impact assessment or system of records notice not required.
In the original figure, completed and expired PTA entries are distinguished by shading; that
distinction is not preserved in this text rendering.

Columns: Name of IT System | Privacy Threshold Analysis (Required: 46) | Privacy Impact Assessment (Required: 38) | System of Records Notice (Required: 45)

Disaster Response and Recovery Programs Information Technology Systems and Associated
Applications support the efforts of FEMA's disaster assistance mission for individuals and families.
Collections may include name, address, Social Security number, birthdates, telephone number, National
Emergency Management Information System (NEMIS) registration ID, disaster-related damage information,
insurance information, financial information, education records, vehicle identifiers, criminal history information,
and information to verify identity.

Disaster Assistance Improvement Program (DAIP) | Completed, Jan 18, 2011 | DHS/FEMA/PIA-012, Dec 31, 2008 | DHS/FEMA-008, 74 FR 48763, Sep 24, 2009
National Emergency Family Registry and Locator System (NEFRLS) | Completed, Mar 8, 2010 | DHS/FEMA/PIA-14(a), Jul 14, 2011 | DHS/FEMA-008, 74 FR 48763, Sep 24, 2009
Emergency Notification System (ENS) | Completed, Oct 21, 2010 | Not Applicable | DHS/ALL-014, 73 FR 61888, Oct 17, 2008
NEMIS Individual Assistance | Completed, Dec 29, 2011 | DHS/FEMA/PIA-027, Jun 29, 2012 | DHS/FEMA-008, 74 FR 48763, Sep 24, 2009

Grant Programs Information Technology Systems and Associated Applications support the efforts of
FEMA's proactive nondisaster grant programs. Collections may include name, work address, Social Security
number (used as Employer Identification Number), financial information, work email address, and work
numbers for telephone, fax, and cell phone, and information on activity funded by the grant.

Assisted Firefighters Grant (AFG) | Completed, Dec 9, 2011 | DHS/FEMA/PIA-013, Jul 14, 2009 | DHS/FEMA-004, 74 FR 39705, Aug 7, 2009
Grants Reporting Tool | Completed, Nov 3, 2009 | DHS/FEMA/PIA-013, Jul 14, 2009 | DHS/FEMA-004, 74 FR 39705, Aug 7, 2009
Non-Disaster (ND) Grants | Completed, Jul 2, 2008 | DHS/FEMA/PIA-013, Jul 14, 2009 | DHS/FEMA-004, 74 FR 39705, Aug 7, 2009
Hazard Mitigation Grant Program | Completed, Feb 15, 2012 | DHS/FEMA/PIA-025, Jun 28, 2012 | DHS/FEMA-009, 77 FR 17783, Jul 23, 2012

Mitigation Programs Information Technology Systems and Associated Applications support the efforts
of FEMA's mitigation and disaster grants missions implementing mitigation activities to reduce or eliminate risk
of future damage to life or property. Collected information may include name, address of damaged property,
mailing address, telephone number, financial information, insurance status, insurance claims, and damaged
property contents.

Mapping Information Platform – Data Center 2 | Completed, Feb 2, 2011 | DHS/FEMA/PIA-003, Jan 27, 2006 | DHS/FEMA/NFIP/LOMA-1, 71 FR 7990, Feb 15, 2006
eGrants | Completed, Feb 10, 2011 | DHS/FEMA/PIA-006, Jan 19, 2007 | DHS/FEMA/2006-002, 69 FR 75079, Dec 15, 2004
Map Service Center | Completed, Sep 7, 2006 | DHS/FEMA/PIA-007, Feb 12, 2007 | DHS/FEMA-003, 73 FR 77747, Dec 19, 2008
Map Service Center – On-Line Digital Distribution Center (MSC On-Line DDC) | Completed, May 7, 2010 | DHS/FEMA/PIA-007, Feb 12, 2007 | DHS/FEMA-003, 73 FR 77747, Dec 19, 2008
Total Records Information Management | Completed, May 3, 2012 | DHS/FEMA/PIA-009, Sep 8, 2008 | DHS/ALL-003, 73 FR 71656, Nov 25, 2008
National Flood Insurance Program Information Technology Systems | Completed, Jul 1, 2009 | DHS/FEMA/PIA-011, Nov 26, 2008 | DHS/FEMA-003, 73 FR 77747, Dec 19, 2008
Emergency Management Mission Integrated Environment | Completed, Jan 17, 2012 | DHS/FEMA/PIA-013, Jul 14, 2009 | DHS/FEMA-004, 74 FR 39705, Aug 7, 2009
Enterprise Coordination and Approval Process System | Completed, Mar 7, 2011 | DHS/FEMA/PIA-023, May 21, 2012 | Not Applicable
Community Information System | Completed, Dec 13, 2011 | Not Completed | DHS/FEMA-003, 73 FR 77747, Dec 19, 2008

National Preparedness Programs Information Technology Systems and Associated Applications
support FEMA's mission to assist citizens and first responders in preparation for all hazards through training
and exercise programs. Collections may include name, address, telephone number, email address, citizenship,
employment status, organizational affiliations, professional credentials, user names, and passwords.

Lessons Learned Information Sharing | Completed, Feb 10, 2011 | DHS/ALL/PIA-015, Jun 15, 2009 | DHS/ALL-004, 74 FR 49882, Sep 29, 2009
First Responder Training | Completed, Nov 16, 2009 | DHS/FEMA/PIA-008, Jul 16, 2008 | DHS/ALL-004, 74 FR 49882, Sep 29, 2009
Corrective Action Planning System | Completed, Aug 10, 2009 | DHS/FEMA/PIA-016, Mar 3, 2011 | DHS/FEMA-011, 76 FR 19107, Apr 6, 2011
Design and Development System | Completed, Jan 26, 2010 | DHS/FEMA/PIA-016, Mar 3, 2011 | DHS/FEMA-011, 76 FR 19107, Apr 6, 2011
National Exercise Master Scenario Event List (NxMSEL) | Completed, Nov 15, 2010 | DHS/FEMA/PIA-016, Mar 3, 2011 | DHS/FEMA-011, 76 FR 19107, Apr 6, 2011
National Exercise Scheduling System | Completed, Aug 21, 2009 | DHS/FEMA/PIA-016, Mar 3, 2011 | DHS/FEMA-011, 76 FR 19107, Apr 6, 2011
Center for Domestic Preparedness Learning Management System | Completed, Jun 18, 2008 | DHS/FEMA/PIA-022, Mar 29, 2012 | DHS/FEMA-011, 76 FR 19107, Apr 6, 2011
FEMA Employee Knowledge Center (FEKC) | Completed, Jul 19, 2006 | Not Applicable | DHS/ALL-003, 73 FR 71656, Nov 25, 2008

United States Fire Administration Programs Information Technology Systems and Associated
Applications support the training programs of the National Fire Academy and other United States Fire
Administration programs. Collected information may include name, address, telephone number, email
address, citizenship, educational information, disability information, organizational affiliation, and fire
department identification number.

United States Fire Administration Web Farm | Completed, Sep 17, 2009 | DHS/ALL/PIA-006, Jun 15, 2007 | DHS/ALL-002, 73 FR 71659, Nov 25, 2008
National Emergency Training Center Learning Resource Center | Completed, Apr 5, 2010 | DHS/FEMA/PIA-022, Mar 29, 2012 | DHS/ALL-003, 73 FR 71656, Nov 25, 2008
United States Fire Administration Systems | Completed, Jan 18, 2012 | DHS/FEMA/PIA-022, Mar 29, 2012 | DHS/FEMA-011, 76 FR 19107, Apr 6, 2011
National Fire Incident Reporting System | Completed, Feb 6, 2009 | Not Applicable | DHS/FEMA-008, 74 FR 48763, Sep 24, 2009

Mission Support Systems and Associated Applications support all of FEMA's missions in disaster
assistance, proactive grants programs, disaster mitigation grants, and training activities. These overarching
systems' collections may include: name, address, Social Security number, birthdates, telephone number,
email address, NEMIS registration ID, disaster-related damage information, insurance information, financial
information, education records, vehicle identifiers, criminal history information, identity verification methods,
and biometric (fingerprint) data.

Logistics Information Management System (LIMS) – FEMA | Completed, Feb 8, 2011 | DHS/ALL/PIA-006, Jun 15, 2007 | DHS/ALL-010, 73 FR 63181, Oct 23, 2008
Executive Management System | Completed, Nov 15, 2010 | DHS/ALL/PIA-012, Jan 14, 2009 | DHS/ALL-002, 73 FR 71659, Nov 25, 2008
Electronic Fingerprint System (EFS) | Completed, Feb 2, 2009 | DHS/ALL/PIA-014(a), Jun 18, 2009 | DHS/ALL-024, 75 FR 5609, Feb 3, 2010
Velocity Security Management System (Hirsch) – Unclassified | Completed, Jul 29, 2010 | DHS/ALL/PIA-014(a), Jun 18, 2009 | DHS/ALL-024, 75 FR 5609, Feb 3, 2010
The Full-Spectrum Risk Knowledgebase | Completed, May 2, 2011 | DHS/ALL/PIA-015, Jun 15, 2009 | DHS/ALL-004, 74 FR 49882, Sep 29, 2009
Integrated Situational Awareness Visualization Environment | Completed, Aug 31, 2011 | DHS/ALL/PIA-036, Mar 8, 2011 | DHS/ALL-004, 74 FR 49882, Sep 29, 2009
Document Management and Records Tracking System | Completed, Jan 10, 2007 | DHS/FEMA/PIA-009, Sep 10, 2008 | DHS/FEMA-008, 74 FR 48763, Sep 24, 2009
Quality Assurance Recording System | Completed, Apr 25, 2012 | DHS/FEMA/PIA-015, Nov 10, 2010 | DHS/FEMA-002, 76 FR 8758, Feb 15, 2011
Firehouse Database – Unclassified | Completed, Dec 16, 2011 | DHS/FEMA/PIA-019, Dec 15, 2011 | DHS/OHA-002 [1], 76 FR 53921, Aug 30, 2011
Integrated Financial Management Information System (IFMIS)-Merger | Completed, Nov 23, 2011 | DHS/FEMA/PIA-020, Dec 16, 2011 | DHS/FEMA-008 [2], 74 FR 48763, Sep 24, 2009
Authentication and Provisioning Services | Completed, Jul 25, 2006 | Not Applicable | DHS/ALL-002, 73 FR 71659, Nov 25, 2008
Enterprise Wireless LAN | Completed, Mar 7, 2012 | Not Applicable | DHS/ALL-004, 74 FR 49882, Sep 29, 2009
Intelligent Roads and Rail Information System | Completed, Jun 5, 2009 | Not Applicable | DHS/ALL-004, 74 FR 49882, Sep 29, 2009
Real Property Management System (RPMS) | Completed, Jan 19, 2011 | Not Applicable | DHS/ALL-004, 74 FR 49882, Sep 29, 2009
Resource Management Online | Completed, Apr 5, 2010 | Not Applicable | DHS/ALL-004, 74 FR 49882, Sep 29, 2009
Accounting Package System (ACCPAC) | Completed, Aug 12, 2010 | DHS/FEMA/PIA-024, Jun 8, 2012 | DHS/ALL-008, 73 FR 61880, Oct 17, 2008
Enterprise Data Warehouse | Completed, Dec 30, 2011 | DHS/FEMA/PIA-026, Jun 29, 2012 | DHS/ALL-004, 74 FR 49882, Sep 29, 2009

Source: TAFISMA

[1] DHS SORN listed in figure 11. Additional SORNs apply to this IT system: OPM/GOVT-10 Employee Medical File
System of Records, Jun 19, 2006, 71 FR 35360 and OPM/GOVT-1 General Personnel Records, Jun 19, 2006, 71 FR
35342.
[2] FEMA SORN listed in figure 11.
Additional SORNs apply to this IT system: DHS/ALL-007 Accounts Payable System of\nRecords, Oct 17, 2008, 73 FR 61880; DHS/ALL-008 Accounts Receivable System of Records, Oct 17 2008, 73 FR 61885;\nDHS/ALL-019 Payroll, Personnel, Time, and Attendance Records, Oct 23, 2008, 73 FR 62172; DHS/FEMA-2006-0002\nNational Emergency Management Information System \xe2\x80\x93 Mitigation Electronic Grants Management System (NEMIS-\nMT eGrants), Dec 15, 2004, 69 FR 75079; and, GSA/Government-wide 4 Contracted Travel Services Program, Jun 3,\n2009, 41 FR 26700.\n\n\n\n\nwww.oig.dhs.gov                                        31                                             OIG-13-87\n\n\x0c                  OFFICE OF INSPECTOR GENERAL\n                   Department of Homeland Security\n\n\nAppendix F\nFEMA Unauthorized Information Technology Systems\nMemorandum\n\n\n\n\nwww.oig.dhs.gov                32                    OIG-13-87\n\n\x0c                                 OFFICE OF INSPECTOR GENERAL\n                                      Department of Homeland Security\n\n\n\n\n          Page 2 - Unauthorized Infonnation Technology Systems\n\n          Unauthorized systems are those systems that do not possess a recognized federal government\n          Cel1ificatioll and Accreditation (C&A); or the: system owner is unable to provide proof that the\n          artifacts required for C&A werc submitted to the Office ofthc Chief Infonnation Officer and\n          meet federal requirements. 
"RObrue" systems are those systems that have never been through the\n          C&A process .\n\n          Attached please find a list of systems that either alreau), possess a C&A or an~ apprupriatdy\n          matriculating through the System Life Cycle process with the end goal of recciving a C&A\n          If you are operating a system that is not on the attached list, ple ase provide the following\n          infonnation:\n\n               \xe2\x80\xa2   System Name and Acronym\n               \xe2\x80\xa2   System Number\n               \xe2\x80\xa2   System Type\n               \xe2\x80\xa2   System Development Life Cycle Status\n               \xe2\x80\xa2   Indicate:\n                       o Financial System or Non-Financial System\n                       o Critical Asset or Non-Critical Asset\n\n          If you are operating a system with a C&A, but do not maintain the artifacts that prove the C&A\n          was appropriately acquired; plt:a.Se providt: the following information for each such system:\n\n               \xe2\x80\xa2   System Name and Acronym\n               \xe2\x80\xa2   TAF ID\n               \xe2\x80\xa2   System Number\n               \xe2\x80\xa2   System Type\n               \xe2\x80\xa2   System Development Life Cycle Status\n               \xe2\x80\xa2   Indicate:\n                       o Financial System or Non-Financial System\n                       o Critical Asset or non-Critical Asset\n               \xe2\x80\xa2   System Expiration Date\n\n          This is a very serious matter. Therefore, I encourage each of you to conduct a line by line review\n          of the attached list. Be diligent and thorough in the review of the systems under your pUlView\n          and providc me with the requested infonnation beforc or at the conclusion of the Amncsty\n          Period . 
Please note, at the conclusion of the Amnesty Period, if it is determined that you are\n          operating unauthorized IT systems, appropriate corrective action may be taken. Such action will\n          impact the appropriate Chief and the relevant system owner/operator.\n\n          If you have any questions or concerns please contact Elisa Cruz, Chief Information Security\n          Officer, and project lead for this initiative. She can be reached at 202.646.3541 or\n          Elisa.Cruz@fema.dhs.gov.\n\n\n\n\nSource: FEMA\n\n\n\nAppendix G\nDHS Fair Information Practice Principles at Work\nFigure 12. DHS Fair Information Practice Principles at Work\n\n\n\n\n     Data Minimization\n     DHS seeks to minimize its collection of PII through its privacy compliance processes in two ways. First, the DHS Privacy\n     Office works with the Office of the Chief Information Officer on the Paperwork Reduction Act process that seeks to\n     minimize the collection of information, including PII, from the public. Second, PIAs and SORNs require that data\n     elements being collected are both relevant and necessary for the stated purpose of the system. DHS places a special\n     emphasis on reducing the use of Social Security numbers (SSNs). DHS does not collect SSNs unless there is a valid\n     authority for their collection.\n\n     Use Limitation\n     DHS limits its uses of PII to those that are permissible under law, and articulated in published PIAs and SORNs. 
Uses may\n     include sharing both inside and outside of DHS. Within the Department, use of PII is limited to personnel who have an\n     authorized need-to-know for the information. For external sharing, these uses are legally defined "routine uses," and\n     must be compatible with the original collection and purpose specification. Absent a statutory requirement to disclose\n     specific information, such routine use sharing decisions are made following a case-by-case review by the DHS Privacy\n     Office to ensure a request meets the requirements. Sharing PII with external entities is done pursuant to routine uses\n     articulated in published SORNs and may also be authorized by a written information sharing agreement, such as a\n     Memorandum of Understanding, between the Department and the receiving agency.\n\n     Data Quality and Integrity\n     To ensure data quality, DHS collects information directly from the individual where practicable, especially in benefit\n     administration functions. Recognizing that data errors occur, DHS has implemented redress mechanisms that enable\n     individuals to seek access and correction of their information through the FOIA/Privacy Act process, as described above.\n     Travelers who experience difficulties may also seek redress through DHS TRIP.\n\n     Security\n     Since privacy and security are complementary, the DHS Privacy Office works closely with the Office of the Chief Information\n     Officer and the Chief Information Security Officer to ensure that security controls are put in place in IT systems that are\n     commensurate with the sensitivity of the information they hold. Privacy requirements are built into the DHS Sensitive\n     Systems Security Policy to safeguard PII from inappropriate, unauthorized, or unlawful access, use, disclosure, or\n     destruction. By law, such systems must be certified as meeting relevant security standards. 
System and program\n     managers are required to complete a Privacy Threshold Analysis, as well as a PIA and SORN, if applicable, before an IT\n     system becomes operational.\n\n     Accountability and Auditing\n     DHS\' privacy protections are subject to oversight by its Chief Privacy Officer and Inspector General as well as by the\n     Government Accountability Office and the U.S. Congress. In addition to these oversight mechanisms, component\n     privacy officers, system owners, and program managers implement accountability in their systems and programs\n     through activities such as periodic review of audit logs to ensure that uses of PII are consistent with the purposes\n     articulated for the collection of that information, as required by the Privacy Act. Further, as public documents, PIAs and\n     SORNs not only demonstrate transparency but also serve as means by which the public can hold the Department\n     accountable for its collection, use, and sharing of PII.\n\n     June 2011\n\n\n\n\n                   Website: www.dhs.gov/privacy         Email: privacy@dhs.gov     Phone: 703-235-0780\n\n\n\nSource: DHS Privacy Office\n\n\n\n\nAppendix H\nCulture of Privacy Survey\nWe developed a privacy questionnaire with assistance from the FEMA Privacy Officer. In\nJanuary 2012, we emailed FEMA employees a hyperlink to a secure site and asked\nthem to complete an online culture of privacy survey. Survey participation was\nvoluntary, confidential, and accessible only by OIG. 
The purposes of the survey were to\nassess privacy knowledge of rules, regulations, and legislation and to obtain employees\xe2\x80\x99\nresponses to five questions pertaining to privacy risks, examples of privacy risks,\nimprovements to privacy training, integrating privacy safeguards in daily operations, and\npromoting a privacy culture at FEMA.\n\nFEMA\xe2\x80\x99s employee list was used to generate survey invitations. Of the 17,837 employees\non that list, 2,290 (12.8 percent) completed the FEMA Culture of Privacy Survey. Figure 13\npresents the levels of job responsibility, locations, job types, and lengths of service of\nrespondents who completed the survey.\n\nFigure 13. Demographics of Survey Respondents\nDEMOGRAPHICS (n = 2,290 Survey Respondents)\n\nLEVEL OF JOB RESPONSIBILITY\n    Entry-level Employees (11.9%)\n    Mid to High-level (Nonmanager) Employees (65.4%)\n    Supervisors/First-Line Managers (19.3%)\n    Executive/Senior Managers (3.4%)\n\nLOCATION\n    FEMA Headquarters (18.8%)\n    FEMA Regions I-X, and Field Activities (40.1%)\n    Other, including National Processing Service Centers (41.1%)\n\nTYPE OF JOB\n    Permanent, Full-time Employees (42.1%)\n    Cadre of On-Call Response/Recovery Employees (27.6%)\n    Disaster Assistance Employees (29.0%)\n    Other Employees (1.3%)\n\nLENGTH OF SERVICE OF PERMANENT EMPLOYEES\n    Less than 3 months (0.2%)\n    3\xe2\x80\x9312 months (2.0%)\n    1\xe2\x80\x933 years (25.2%)\n    More than 3 years (72.6%)\nSource: OIG\n\n\n\n\nAppendix I\nMajor Contributors to This Report\nMarj Leaming, Director\nEun Suk Lee, Privacy Audit Manager\nKevin Mullinix, Program Analyst\nBridget Glazier, Referencer\n\n\n\n\nAppendix J\nReport Distribution\nDepartment of Homeland Security\n\nSecretary\nDeputy Secretary\nChief of Staff\nDeputy Chief of Staff\nGeneral Counsel\nExecutive Secretary\nDirector, GAO/OIG Liaison Office\nAssistant Secretary for Office of Policy\nAssistant Secretary for Office of Public Affairs\nAssistant Secretary for Office of Legislative Affairs\nAdministrator of FEMA\nActing Chief Privacy Officer\nChief Information Officer\nFEMA Audit Liaison Office\nFEMA Privacy Office\n\nOffice of Management and Budget\n\nChief, Homeland Security Branch\nDHS OIG Budget Examiner\n\nCongress\n\nCongressional Oversight and Appropriations Committees, as appropriate\n\n\n\n\nADDITIONAL INFORMATION AND COPIES\n\nTo obtain additional copies of this document, please call us at (202) 254-4100, fax your\nrequest to (202) 254-4305, or e-mail your request to our Office of Inspector General\n(OIG) Office of Public Affairs at: DHS-OIG.OfficePublicAffairs@oig.dhs.gov.\n\nFor additional information, visit our website at: www.oig.dhs.gov, or follow us on Twitter\nat: @dhsoig.\n\nOIG HOTLINE\n\nTo expedite the reporting of alleged fraud, waste, abuse or 
mismanagement, or any\nother kinds of criminal or noncriminal misconduct relative to Department of Homeland\nSecurity (DHS) programs and operations, please visit our website at www.oig.dhs.gov\nand click on the red tab titled "Hotline" to report. You will be directed to complete and\nsubmit an automated DHS OIG Investigative Referral Submission Form. Submission\nthrough our website ensures that your complaint will be promptly received and\nreviewed by DHS OIG.\n\nShould you be unable to access our website, you may submit your complaint in writing\nto: DHS Office of Inspector General, Attention: Office of Investigations Hotline, 245\nMurray Drive, SW, Building 410/Mail Stop 2600, Washington, DC, 20528; or you may\ncall 1 (800) 323-8603; or fax it directly to us at (202) 254-4297.\n\nThe OIG seeks to protect the identity of each writer and caller.\n\x0c'